Instructions for using Okta's SAML authentication provider with Squirro.
Table of Contents
Set up Application in Okta
- Log into Okta developer console
- Switch view to "Classic UI"
- Select "Applications"
- Select "Create New App"
- Set "Platform" to "Web"
- Set "Sign on method" to "SAML 2.0"
- Select "Next"
- Set a Name
- Set the Single Sign On URL to
https://SQUIRRO/sso/callback(URL of your Squirro installation plus the path/sso/callback) - Set the Entity ID as https://sso.squirro.com/o/saml2/entity
- Set the application username to "Email"
- Leave other settings as is
- Finish the setup and under the "Sign On" tab, select "View Setup Instructions" for SAML 2.0
- Click on "Download certificate"
- Copy the IDP Metadata to a file on your machine
- On the "Assignments" tab, add the people or groups who should have access to Squirro
Configure SAML Metadata
To configure SAML Single Sign-On with the federation metadata file, go to the Server space in Squirro and in the navigation on the left select Single Sign-On (SAML).
Press the red plus button on the top right. Fill out the form:
- Domain:
* - Enabled: Check
- Metadata file: upload the IDP Metadata file downloaded earlier
- Certificate: upload the certificate file downloaded earlier
- User group: Select a user group which should be assigned to all SSO users
Enable SSO
For security reasons, the final configuration needs to be done directly on the server. Log into the server using SSH or similar means and edit the file /etc/squirro/frontend.ini. Then append the following lines at the end:
[security] sso_enabled = true sso_endpoint = http://localhost:81/studio/extauth_saml/extauth
Reduce HTTP Session
By default Squirro will keep user sessions for 30 days, surviving browser restarts as well. In a Single Sign-On environment, this should be changed to the session expiring once the user restarts the browser. This can be achieved by changing /etc/squirro/frontend.ini and adding the following lines:
[frontend] session_permanent = false